Support for al2023 based images

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

Makefile

@@ -74,6 +74,12 @@ ifeq (, $(SHELLCHECK_COMMAND))
 endif
 SHELL_FILES := $(shell find $(MAKEFILE_DIR) -type f -name '*.sh')
 
+.PHONY: transform-al2-to-al2023
+transform-al2-to-al2023:
+	PACKER_TEMPLATE_FILE=$(PACKER_TEMPLATE_FILE) \
+	PACKER_DEFAULT_VARIABLE_FILE=$(PACKER_DEFAULT_VARIABLE_FILE) \
+		hack/transform-al2-to-al2023.sh
+
 .PHONY: lint
 lint: ## Check the source files for syntax and format issues
 	$(SHFMT_COMMAND) $(SHFMT_FLAGS) --diff $(MAKEFILE_DIR)

hack/transform-al2-to-al2023.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+if [[ -z "${PACKER_TEMPLATE_FILE:-}" ]]; then
+  echo "PACKER_TEMPLATE_FILE must be set." >&2
+  exit 1
+fi
+if [[ -z "${PACKER_DEFAULT_VARIABLE_FILE:-}" ]]; then
+  echo "PACKER_DEFAULT_VARIABLE_FILE must be set." >&2
+  exit 1
+fi
+
+# rsa keys are not supported in al2023, switch to ed25519
+# delete the upgrade kernel provisioner as we don't need it for al2023
+cat "${PACKER_TEMPLATE_FILE}" \
+  | jq '._comment = "All template variables are enumerated here; and most variables have a default value defined in eks-worker-al2023-variables.json"' \
+  | jq '.variables.temporary_key_pair_type = "ed25519"' \
+  | jq 'del(.provisioners[5])' \
+    > "${PACKER_TEMPLATE_FILE/al2/al2023}"
+
+# use newer versions of containerd and runc, do not install docker
+# use al2023 6.1 minimal image
+cat "${PACKER_DEFAULT_VARIABLE_FILE}" \
+  | jq '.ami_component_description = "(k8s: {{ user `kubernetes_version` }}, containerd: {{ user `containerd_version` }})"' \
+  | jq '.ami_description = "EKS-optimized Kubernetes node based on Amazon Linux 2023"' \
+  | jq '.containerd_version = "*" | .runc_version = "*" | .docker_version = "" ' \
+  | jq '.source_ami_filter_name = "al2023-ami-minimal-2023.*-kernel-6.1-x86_64"' \
+  | jq '.volume_type = "gp3"' \
+    > "${PACKER_DEFAULT_VARIABLE_FILE/al2/al2023}"

scripts/install-worker.sh

@@ -59,7 +59,6 @@ sudo yum install -y \
   aws-cfn-bootstrap \
   chrony \
   conntrack \
-  curl \
   ec2-instance-connect \
   ethtool \
   ipvsadm \
@@ -73,11 +72,21 @@ sudo yum install -y \
   mdadm \
   pigz
 
-if [[ $(which package-cleanup) ]]; then
+# skip kernel version cleanup on al2023
+if ! cat /etc/*release | grep "al2023" > /dev/null 2>&1; then
   # Remove any old kernel versions. `--count=1` here means "only leave 1 kernel version installed"
   sudo package-cleanup --oldkernels --count=1 -y
 fi
 
+# packages that need special handling
+if cat /etc/*release | grep "al2023" > /dev/null 2>&1; then
+  # exists in al2023 only (needed by kubelet)
+  sudo yum install -y iptables-legacy
+else
+  # curl-minimal already exists in al2023 so install curl only on al2
+  sudo yum install -y curl
+fi
+
 sudo yum versionlock kernel-$(uname -r)
 
 # Remove the ec2-net-utils package, if it's installed. This package interferes with the route setup on the instance.

scripts/validate.sh

@@ -45,40 +45,40 @@ else
   exit 1
 fi
 
-echo "Verifying that the package versionlocks are correct..."
-
 function versionlock-entries() {
-  if [ -f "/etc/dnf/plugins/versionlock.conf" ]; then
-    # the format of this output in al2023 is NAME-EPOCH:VERSION-RELEASE.ARCH
-    # rpm works fine with this format
-    yum versionlock list --quiet
-  else
-    # the format of this output is EPOCH:NAME-VERSION-RELEASE.ARCH
-    # more info in yum-versionlock(1)
-    # rpm doesn't accept EPOCH when querying the db, so remove it
-    yum versionlock list --quiet | cut -d ':' -f2
-  fi
+  # the format of this output is EPOCH:NAME-VERSION-RELEASE.ARCH
+  # more info in yum-versionlock(1)
+  # rpm doesn't accept EPOCH when querying the db, so remove it
+  yum versionlock list --quiet | cut -d ':' -f2
 }
 
 function versionlock-packages() {
   versionlock-entries | xargs -I '{}' rpm --query '{}' --queryformat '%{NAME}\n'
 }
 
-for ENTRY in $(versionlock-entries); do
-  if ! rpm --query "$ENTRY" &> /dev/null; then
-    echo "There is no package matching the versionlock entry: '$ENTRY'"
-    exit 1
+function verify-versionlocks() {
+  for ENTRY in $(versionlock-entries); do
+    if ! rpm --query "$ENTRY" &> /dev/null; then
+      echo "There is no package matching the versionlock entry: '$ENTRY'"
+      exit 1
+    fi
+  done
+
+  LOCKED_PACKAGES=$(versionlock-packages | wc -l)
+  UNIQUE_LOCKED_PACKAGES=$(versionlock-packages | sort -u | wc -l)
+  if [ $LOCKED_PACKAGES -ne $UNIQUE_LOCKED_PACKAGES ]; then
+    echo "Package(s) have multiple version locks!"
+    versionlock-entries
   fi
-done
 
-LOCKED_PACKAGES=$(versionlock-packages | wc -l)
-UNIQUE_LOCKED_PACKAGES=$(versionlock-packages | sort -u | wc -l)
-if [ $LOCKED_PACKAGES -ne $UNIQUE_LOCKED_PACKAGES ]; then
-  echo "Package(s) have multiple version locks!"
-  versionlock-entries
-fi
+  echo "Package versionlocks are correct!"
+}
 
-echo "Package versionlocks are correct!"
+# run verify-versionlocks on al2 only, as it is not needed on al2023
+if ! cat /etc/*release | grep "al2023" > /dev/null 2>&1; then
+  echo "Verifying that the package versionlocks are correct..."
+  verify-versionlocks
+fi
 
 REQUIRED_COMMANDS=(unpigz)